The digital asset landscape is currently grappling with a sophisticated and increasingly lucrative wave of investment scams that accounted for an estimated $14 billion in illicit on-chain activity during 2025, a figure that analysts suggest could climb to $17 billion as more addresses are linked to criminal networks. This surge in fraudulent activity was the primary focus of the inaugural session of "Chain of Thought," a new expert-hosted webinar series designed to provide a behind-the-scenes look at real-world investigations and emerging crypto crime trends. During the session, titled "Inside an Investment Scam Operation," Chainalysis investigators Seth DuBois and Renato Bastos provided a comprehensive breakdown of "approval phishing," a specific typology that has become a cornerstone of modern crypto-based financial crime.
According to data presented by the investigators, the financial impact of these scams is intensifying. While the total volume of funds stolen is staggering, the efficiency of individual operations is also on the rise. The average payment to a single scam address surged by 253% year-over-year, indicating that scammers are successfully targeting high-net-worth individuals or convincing victims to commit larger portions of their portfolios. Furthermore, the integration of artificial intelligence (AI) into these operations has acted as a significant force multiplier; scams augmented by AI tools were found to be 4.5 times more profitable than traditional manual efforts, likely due to the ability of AI to maintain consistent, persuasive narratives across multiple languages and time zones.
The Mechanics of Approval Phishing
Approval phishing is a tactical evolution of traditional credential theft. In a conventional phishing attack the criminal tries to obtain the victim's private key or seed phrase and so gain total control of the wallet. Approval phishing instead abuses the "approve" function of token contracts, standardized in ERC-20, which lets a token owner authorize a designated spender (normally a DeFi protocol's contract) to move up to a set allowance of that token on the owner's behalf. The function itself is legitimate: it is what lets a user swap, lend or stake without handing their keys to the protocol.
Scammers trick victims into signing an approval transaction that appears innocuous, framed as a request to "verify" a wallet or "participate" in a fake investment platform. In reality the victim is setting an unlimited allowance for a specific token in favour of the scammer's address. Once that transaction is confirmed, the scammer does not need the victim's private key: they can call "transferFrom" at any time and move up to the victim's full balance of that token to a series of wallets they control. Two details matter for triage. The allowance is scoped to a single token contract, so a phished approval for one stablecoin does not by itself expose the victim's other tokens, and the owner can cancel it at any time by sending a new approval for the same spender with an amount of zero, which is the "revoke" step that turns a live lead into a saved balance.
Renato Bastos, a lead investigator at Chainalysis, emphasized that the timing of the theft is often strategic. "The scammer can now drain the victim’s wallet whenever they please," Bastos explained. "They might move instantaneously or lurk until an ideal moment, like right after the victim deposits fresh funds from their exchange." This "lurking" tactic allows criminals to maximize their take, often waiting until the victim has been socially engineered into "topping up" their balance for a purported high-yield opportunity.
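The approve/transferFrom sequence above, including the "lurk until a top-up" timing and the zero-amount revocation, as an added example that is not part of the webinar or Chainalysis code. It uses a toy in-memory ERC-20 ledger rather than a real contract; the addresses ("victim", "scammer", "consolidation"), the balances and the `approval_risk` warning rule are constructed for illustration.

```python
"""How an approval-phishing drain works at the token-contract level.

Added example: a toy in-memory ERC-20 ledger, not a real contract and not code
from Chainalysis. Addresses ("victim", "scammer", "consolidation") and amounts
are constructed for illustration.
"""
from dataclasses import dataclass, field

MAX_UINT256 = 2**256 - 1  # the "unlimited" allowance a phishing prompt asks the victim to sign


@dataclass
class ERC20:
    """Minimal ERC-20 ledger: balances plus the (owner, spender) -> allowance table."""
    balances: dict = field(default_factory=dict)
    allowances: dict = field(default_factory=dict)

    def approve(self, owner: str, spender: str, amount: int) -> None:
        # The call the victim is tricked into signing. It moves no tokens by
        # itself, which is why the prompt looks harmless in the wallet UI.
        self.allowances[(owner, spender)] = amount

    def allowance(self, owner: str, spender: str) -> int:
        return self.allowances.get((owner, spender), 0)

    def transfer_from(self, caller: str, owner: str, to: str, amount: int) -> None:
        # Submitted later by the spender. The owner signs nothing here; the only
        # gate is the allowance table, so the victim's private key is irrelevant.
        if self.balances.get(owner, 0) < amount:
            raise ValueError("insufficient balance")
        allowed = self.allowance(owner, caller)
        if allowed < amount:
            raise ValueError("insufficient allowance")
        # Common ERC-20 implementations treat the maximum value as infinite and
        # never decrement it, so one phished approval outlives any number of drains.
        if allowed != MAX_UINT256:
            self.allowances[(owner, caller)] = allowed - amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount


def approval_risk(amount: int, owner_balance: int) -> str:
    """Wallet-side warning (hypothetical rule) to apply before signing an approval."""
    if amount == MAX_UINT256:
        return "UNLIMITED"          # spender can drain everything, now or after any future deposit
    if amount > owner_balance:
        return "EXCEEDS_BALANCE"    # more than the owner holds today, so it covers top-ups too
    return "BOUNDED"


def drain_after_topup() -> tuple:
    """The 'lurking' pattern: approval signed, scammer waits for a top-up, then drains."""
    token = ERC20(balances={"victim": 1_000})
    token.approve("victim", "scammer", MAX_UINT256)     # the phished approval
    token.balances["victim"] += 9_000                    # victim deposits fresh funds from an exchange
    token.transfer_from("scammer", "victim", "consolidation", 6_000)   # drain in tranches
    token.transfer_from("scammer", "victim", "consolidation", 4_000)
    return (token.balances["victim"],
            token.balances["consolidation"],
            token.allowance("victim", "scammer"))        # still MAX: the allowance survives the drain


def revoke_blocks_drain() -> bool:
    """The fix: approve(spender, 0) from the owner cancels the allowance."""
    token = ERC20(balances={"victim": 5_000})
    token.approve("victim", "scammer", MAX_UINT256)
    token.approve("victim", "scammer", 0)                # revocation, signed by the owner
    try:
        token.transfer_from("scammer", "victim", "consolidation", 1)
    except ValueError:
        return True                                      # drain now fails on the allowance check
    return False


if __name__ == "__main__":
    print(drain_after_topup())
    print(revoke_blocks_drain(), approval_risk(MAX_UINT256, 1_000))
```

The point of `drain_after_topup` is the third value it returns: after two transfers the allowance is still the maximum, so nothing the victim does short of an explicit zero-amount approval (or moving the tokens elsewhere) ends the exposure. Real wallets and revocation tools do the same thing, sending `approve(spender, 0)` from the owner's key.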
The Social Engineering Playbook
Before the technical execution of an approval phishing attack, a complex social engineering operation typically takes place. These operations often fall under the umbrella of "pig butchering" scams, where attackers build long-term relationships with victims to gain their trust. Investigators highlighted several red flags that often precede a technical strike:
- Unsolicited Contact via Messaging and Social Platforms: Scammers frequently initiate contact through WhatsApp, Telegram or LinkedIn, often pretending to have reached a "wrong number" or offering exclusive investment advice.
- The Illusion of Guaranteed Returns: Victims are lured with promises of low-risk, high-reward investments, often supported by fabricated screenshots of "profitable" trading accounts.
- Induced Urgency: As the scam progresses, the attacker creates a sense of crisis or a "limited-time" opportunity, pressuring the victim to act quickly and bypass their own security checks.
- Instructional Guidance: The scammer often provides step-by-step instructions on how to use crypto exchanges and DeFi wallets, specifically guiding the victim toward the malicious "approval" link.
Compliance professionals and financial institutions are increasingly being trained to recognize these human signals. By identifying customers who are being coached through transactions or who exhibit sudden, high-volume transfers to unknown DeFi platforms, institutions can intervene before the "approval" is signed.
A Chronology of Global Disruption: Operations Spincaster, DeCloak, and Atlantic
The fight against approval phishing has moved from individual investigations to large-scale, coordinated international operations. Chainalysis has been at the forefront of this shift, utilizing on-chain data to identify patterns in how scammers reuse their infrastructure. Because criminals often use the same "spender contracts" and cash-out routes across thousands of victims, their activity leaves a traceable "fingerprint" on the blockchain.

In 2024, the launch of Operation Spincaster marked a turning point in public-private collaboration. Spanning six countries, this initiative processed over 7,000 leads and resulted in the disruption of approximately $162 million in potential losses. One notable success involved a would-be victim who was alerted by law enforcement just as they were being targeted; the victim was able to revoke the scammer’s approval before losing a six-figure sum.
This was followed by Operation DeCloak, a localized but highly effective effort in Delta, British Columbia. By equipping local police with advanced blockchain tracing tools, authorities were able to freeze and return stolen funds to victims within a city of just 100,000 people, proving that crypto-tracing capabilities are no longer reserved for federal agencies.
Most recently, Operation Atlantic demonstrated the power of multi-jurisdictional cooperation. Led by the UK’s National Crime Agency (NCA), the US Secret Service (USSS), the Ontario Provincial Police (OPP), and the Ontario Securities Commission (OSC), the operation identified more than 20,000 victims across North America and Britain. With support from Chainalysis, officials froze over $12 million in suspected criminal proceeds and traced an additional $45 million in stolen crypto linked to various investment schemes.
Turning Blockchain Intelligence into a Standing Capability
The recurring nature of scam infrastructure—specifically the reuse of consolidation wallets and exchange deposit addresses—means that what was once a manual, ad hoc investigation can now be automated. Seth DuBois, who has led numerous investigations into approval phishing, noted that "the typology becomes a query you can automate."
To effectively disrupt these networks, Chainalysis experts recommend four strategic shifts for financial institutions and law enforcement:
- Upstream Detection: Moving beyond reactive reporting to identify malicious spender contracts as soon as they are deployed or begin interacting with victims.
- Rapid Lead Pivoting: Using on-chain data to immediately link a single victim report to a wider network of addresses, allowing for the identification of thousands of other potential victims in real-time.
- Disruption Networks: Building stronger pipelines between private sector exchanges, blockchain analytics firms, and law enforcement to facilitate the freezing of funds at the point of cash-out.
- In-House Expertise: Developing internal teams capable of navigating blockchain explorers and interpreting smart contract interactions to make faster decisions on suspicious transactions.
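The first two shifts, upstream detection and rapid lead pivoting, written out as the kind of query DuBois describes, as an added example rather than Chainalysis tooling. The Approval and Transfer records are constructed to look like decoded ERC-20 event logs, and every address, the protocol allowlist and the code-size table are placeholders for data a real pipeline would pull from a node (eth_getLogs, eth_getCode) or a labelled-address set. The detection rule flags unlimited approvals to plain externally owned accounts that are not known protocol contracts; the pivot expands one victim report through shared consolidation wallets to the other spender keys and victims using the same infrastructure.

```python
"""Automating the approval-phishing typology over decoded token event logs.

Added example, not Chainalysis tooling. Records, addresses, the allowlist and
the code-size table are constructed placeholders.
"""
from dataclasses import dataclass

MAX_UINT256 = 2**256 - 1


@dataclass(frozen=True)
class Approval:            # decoded Approval(owner, spender, value) event
    block: int
    token: str
    owner: str
    spender: str
    value: int


@dataclass(frozen=True)
class Transfer:            # decoded Transfer(src, dst, value) event plus the tx submitter
    block: int
    token: str
    tx_sender: str
    src: str
    dst: str
    value: int


# Hypothetical reference data a compliance team would maintain.
KNOWN_PROTOCOL_SPENDERS = {"0xROUTER"}   # contracts of legitimate protocols (allowlist)
CODE_SIZE = {"0xROUTER": 5_000}          # eth_getCode length; missing entries are EOAs


def is_eoa(addr: str) -> bool:
    return CODE_SIZE.get(addr, 0) == 0


def is_suspicious(a: Approval) -> bool:
    """Upstream detection rule: an unlimited allowance granted to a plain externally
    owned account that is not a known protocol contract. Legitimate DeFi approvals
    go to contracts; a drainer's spender is usually just a key."""
    return (a.value == MAX_UINT256
            and a.spender not in KNOWN_PROTOCOL_SPENDERS
            and is_eoa(a.spender))


def pivot_from_victim(report_owner: str, approvals, transfers) -> dict:
    """Rapid lead pivoting: from one victim report, expand to every spender key that
    feeds the same consolidation wallets, then to every owner who approved any of
    them. A Transfer whose submitter is not its source is an allowance-based move
    (transferFrom), i.e. a drain, which is how the spender's activity is located."""
    drains = [t for t in transfers if t.tx_sender != t.src]
    spenders = {a.spender for a in approvals if a.owner == report_owner and is_suspicious(a)}
    cashouts: set = set()
    while True:   # expand spenders <-> consolidation wallets to a fixpoint
        new_cashouts = {t.dst for t in drains if t.tx_sender in spenders}
        new_spenders = {t.tx_sender for t in drains if t.dst in new_cashouts and is_eoa(t.tx_sender)}
        if new_cashouts <= cashouts and new_spenders <= spenders:
            break
        cashouts |= new_cashouts
        spenders |= new_spenders
    # One hop further: where the consolidation wallets forward funds (exchange deposit addresses)
    deposits = {t.dst for t in transfers if t.src in cashouts and t.tx_sender == t.src}
    victims = {a.owner for a in approvals if a.spender in spenders and is_suspicious(a)}
    return {"spenders": spenders, "cashouts": cashouts, "deposits": deposits, "victims": victims}


# Constructed sample: two drainer keys (0xS1, 0xS2) sharing one consolidation wallet,
# one legitimate unlimited approval to a DEX router, one bounded approval to a stranger.
APPROVALS = [
    Approval(100, "0xUSDT", "0xALICE", "0xS1", MAX_UINT256),
    Approval(101, "0xUSDT", "0xBOB", "0xS1", MAX_UINT256),
    Approval(102, "0xUSDT", "0xCAROL", "0xS2", MAX_UINT256),
    Approval(103, "0xUSDT", "0xDAVE", "0xROUTER", MAX_UINT256),
    Approval(104, "0xUSDT", "0xERIN", "0xS3", 500),
]
TRANSFERS = [
    Transfer(110, "0xUSDT", "0xS1", "0xALICE", "0xCONS", 9_000),          # transferFrom drain
    Transfer(111, "0xUSDT", "0xS1", "0xBOB", "0xCONS", 4_000),
    Transfer(112, "0xUSDT", "0xS2", "0xCAROL", "0xCONS", 2_500),          # second key, same wallet
    Transfer(113, "0xUSDT", "0xDAVE", "0xDAVE", "0xROUTER", 100),         # ordinary transfer
    Transfer(120, "0xUSDT", "0xCONS", "0xCONS", "0xEXCH_DEPOSIT", 15_500),  # cash-out hop
]


def flagged_owners(approvals=APPROVALS) -> list:
    """Owners whose approvals trip the upstream detection rule."""
    return sorted(a.owner for a in approvals if is_suspicious(a))


if __name__ == "__main__":
    print(flagged_owners())
    print(pivot_from_victim("0xALICE", APPROVALS, TRANSFERS))
```

Run against the sample, a single report from 0xALICE yields both spender keys, the shared consolidation wallet, the exchange deposit address it forwards to, and three victims, while 0xDAVE's unlimited approval to the allowlisted router is never flagged. In production the allowlist and code-size lookup are the parts that need care: a spender that is a contract is not automatically safe, and the rule here is deliberately conservative to keep false positives low at the point where a team would contact a customer or an exchange.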
Implications for the Broader Crypto Ecosystem
The rise of approval phishing has significant implications for crypto regulation and for wallet interface design. As the industry matures, there is increasing pressure on wallet providers to make the "approve" function legible to ordinary users. Many wallets now let the user edit the requested allowance down to a capped amount instead of accepting the default unlimited value, and show an explicit warning when a transaction would grant unlimited access to a token.
From a regulatory standpoint, the estimated $14 billion in 2025 scam proceeds (potentially $17 billion once further addresses are attributed) underscores the need for continued global cooperation. The success of Operation Atlantic suggests that when law enforcement agencies share data across borders, the irreversibility of on-chain transfers can be offset by freezing funds at the custodial cash-out points the scammers depend on, provided the intervention is fast enough. However, the 4.5x profitability of AI-driven scams suggests that the "arms race" between scammers and investigators is accelerating.
The Chain of Thought webinar concluded with a call to action for retail investors and institutions alike. For the individual, the advice remains grounded in "common-sense security": verifying URLs, avoiding links from unverified group chats, and maintaining skepticism toward any investment opportunity that requires coached transactions. For the industry, the goal is to transform the transparency of the blockchain from a tool for criminals into a permanent, automated shield for users.
As the digital asset market continues to evolve, the methodologies established in Operations Spincaster and Atlantic will likely serve as the blueprint for future efforts to secure the ecosystem against the persistent threat of sophisticated investment fraud.